GDPR Policy

The General Data Protection Regulation (GDPR) comes in to force on the 25th May 2018

This document is our policy which clearly outlines outline how we as an organisation will comply with this piece of legislation. It also provides valuable information to individuals on their rights and how to contact us.

Why we need to hold data and the type of data we may hold

The Academy of Practical Horticulture Limited and B.E.S.T in Horticulture Limited (described as the companies) hold personal data related to customers in pursuance of their lawful activities as providers of Face to Face, Blended , Distance Learning and Bespoke Training and Education. Personal data may be any of the following: "information related to a natural person or 'Data Subject', that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address".

Our data controller, data processors and their roles

The companies Data Controller is: Tony Davies. The Data Controller determines the purposes, conditions and means of the processing of personal data, while authorised data processors processes personal data on behalf of the controller. The companies' data processors (persons who may have access or use your personal information in respect of their lawful activities) include:

  • Directors of the Companies
  • The Courses Manager
  • The Accounts Manager
  • Administrators
  • Course Tutors

Our legal responsibilities in respect of data

1. Under this legislation the companies are required to obtain clear consent to use sensitive personal data, and must provide an opportunity for consent to be withdrawn. The opportunity to provide consent is provided in the following ways:

  • via the tick box when requesting course information
  • via the tick box when booking any course

2. The opportunity to withdraw consent is provided in the following ways:

  • by completing the data consent withdrawal form
  • or by notifying the Data Controller in writing that you wish to withdraw your consent

3. Parental consent will be required to process the personal data of children under the age of 16 for online services.

4. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay. We undertake to notify individuals of any data breach within 7 days.

5. Individuals have the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them is being processed, where and for what purpose. In addition, the Data Controller is required to provide a copy of the personal data, free of charge, in an electronic format.

All requests should be addressed to The Data Controller:
18 St James Close,
Nr. Evesham,
WR11 8PZ


If we hold information about you, we will:

  • give you a description of the information held
  • tell you why we are holding the information
  • tell you whom the information could be disclosed to
  • give you an accurate copy of the information we hold

6. You have the 'right to be forgotten'

This gives you the right to have the data controller erase your personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. As an organisation it is our policy not to sell or pass your data to third parties.

Please note: The exception is data stored and used for registration with awarding bodies for certification purposes and information used solely for accounting requirements, where other legal precedence may require this data to remain stored for the purposes of audit by our Accountants or HMRC.

7. You have the right to receive personal data concerning you in a commonly used electronic format.

We can provide your information in:

  • Word
  • Publisher
  • Excel

8. Under this legislation The Data Controller will only hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting the access to personal data to only those needing it for essential processing activities in pursuance of the companies lawful activities. The use of your personal data is restricted to the following activities:

  • to commence enrolment on any of our provisions
  • to comply with an awarding body's requirements in respect of registration and certification
  • to fulfil orders for products or services
  • to process invoices, credit notes, receipts (payments) in any format
  • to communicate with you about our provision
  • to address or respond to any correspondence or complaint
  • to circulate customer satisfaction surveys

A Data Protection Officer for the companies has been appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices. They have been provided with the appropriate resources to carry out their tasks and maintain their expert knowledge. They report to the Data Controller, who is a Director of both companies.

The Data Protection Officer is: Janet Prescott

By giving us your personal data and consenting, you agree to accept the terms of this policy.

All questions relating to The General Data Protection Regulation should be addressed to the Data Controller using the contact information provided.